
Rootkit.agent, Unable To Remove


  • This topic is locked
12 replies to this topic

#1 mumumash

mumumash

  • Members
  • 9 posts
  • OFFLINE
  • Local time: 04:39 AM

Posted 03 August 2008 - 05:41 AM

Hello all.
I felt using Malwarebytes' Anti-Malware would solve all my problems. About 30 infections showed, mostly trojan.vundo, trojan.agent and rootkit.agents, and it told me for most of them that it would delete on reboot. So I reboot and they are still there. I found that using File Assassin on the files in question worked for most of the rootkits. Now I am only left with a Rootkit.Agent in C:/WINDOWS/System32/Drivers/Winek84.sys. This is letting trojan.agents in, as one normally shows up in WinCntrl32.dll, even though I remove that file. I have attempted using Unlocker and File Assassin to delete Winek84.sys; both informed me that it would delete on reboot, but the file is still there. I have attempted to use Spyware Doctor, which cannot locate the rootkit.agent. Also my security program, McAfee, has been compromised, as taking a look at the recent history informed me that it had made changes so malware could enter the registry.
I am left with only one option, which is to format my PC. I am extremely reluctant to do this, so any help to remove Winek84.sys would save me grief. When I log onto my profile when I'm not in safe mode, it goes so slow that it almost stops, so I regularly use my PC in safe mode now.

Deckard's System Scanner v20071014.68
Run by New Admin Shaggy on 2008-08-03 10:50:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-03 09:51:06 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-08-02 16:50:28 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).

-- HijackThis (run as New Admin Shaggy.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-03 10:59:57
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Documents and Settings\New Admin Shaggy\Desktop\dss.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

O2 - BHO: (no name) - {0373A8B9-44E0-4CB9-8844-B043C9DEBD59} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {24F2250B-6D5A-4D37-917D-2EC96A37F056} - (no file)
O2 - BHO: (no name) - {55B56F12-202F-4DD1-A248-FC6D4DAB456F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7825C475-817B-4C53-8EE8-0AE8D93BFDB0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {942579A6-F4BF-4582-823C-EEAD37B2A59B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {AB6C157C-6379-4FDB-8468-92479E358A66} - (no file)
O2 - BHO: (no name) - {AC934E83-0A1C-4A90-8BE0-53191D6DDAA6} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CADEB1E1-70C7-4690-A80E-81B439C603D1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [\Win73.exe] C:\Windows\system32\Win73.exe
O4 - HKCU\..\Run: [\Win74.exe] C:\Windows\system32\Win74.exe
O4 - HKCU\..\Run: [\Win75.exe] C:\Windows\system32\Win75.exe
O4 - HKCU\..\Run: [\Win76.exe] C:\Windows\system32\Win76.exe
O4 - HKCU\..\Run: [\Win77.exe] C:\Windows\system32\Win77.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_06) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O23 - Service: McAfee Application Installer Cleanup (0172591217454195) (0172591217454195mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017259~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe


--
End of file - 209641 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080731-124657-735 O20 - Winlogon Notify: khfCvVll - khfCvVll.dll (file missing)
backup-20080802-142905-292 O2 - BHO: (no name) - {826A19BD-6A05-4591-9641-D17B29799BB6} - C:\WINDOWS\system32\hgGvwwVO.dll (file missing)
backup-20080802-150241-172 O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
backup-20080802-150338-378 O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
backup-20080802-152941-315 O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Winek84 - c:\windows\system32\drivers\winek84.sys
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S0 UNPR - c:\windows\system32\unpr.sys (file missing)
S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
S3 gdrv - c:\windows\gdrv.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 0172591217454195mcinstcleanup (McAfee Application Installer Cleanup (0172591217454195)) - c:\windows\temp\017259~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-03 11:00:33 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{9FDDAC4F-F58F-44CB-A954-28E5A005D3C4}.job
2008-08-02 17:48:11 276 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-03 10:32:48 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-28 22:42:29 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-28 22:42:28 332 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 10:03:17 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Sun
2008-08-02 15:07:02 16896 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-08-02 14:55:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-02 14:55:49 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Uniblue
2008-08-02 13:57:02 588037 --ahs---- C:\WINDOWS\system32\OVwwvGgh.ini2
2008-08-02 11:04:24 0 d-------- C:\WINDOWS\BDOSCAN8
2008-08-01 20:59:11 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Help
2008-08-01 20:52:25 112640 --a------ C:\WINDOWS\system32\70534.exe
2008-08-01 20:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-01 20:32:20 99712 -----n--- C:\WINDOWS\system32\dyllxxpd.dll
2008-08-01 20:31:22 129920 -----n--- C:\WINDOWS\system32\sckqao.dll
2008-08-01 17:45:16 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Malwarebytes
2008-08-01 16:23:23 0 d-------- C:\Program Files\Common Files\PC Tools
2008-08-01 16:22:53 0 d-------- C:\Program Files\Spyware Doctor
2008-08-01 16:22:53 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\PC Tools
2008-08-01 16:21:32 119808 --a------ C:\Program Files\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2008-08-01 15:26:30 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-01 15:19:23 2015 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-08-01 15:19:13 0 d-------- C:\Program Files\RogueRemover PRO
2008-08-01 15:18:59 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-01 15:16:51 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Recent
2008-08-01 15:15:19 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 14:36:03 129920 --a------ C:\WINDOWS\system32\fsxwslmy.dll
2008-07-31 19:17:20 0 dr-h----- C:\Documents and Settings\New Admin Shaggy\Recent
2008-07-31 17:10:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:58:39 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Malwarebytes
2008-07-31 16:58:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 12:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-31 12:40:13 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Talkback
2008-07-31 12:39:37 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Mozilla
2008-07-31 12:39:23 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Real
2008-07-31 08:25:19 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Macromedia
2008-07-31 08:15:07 388608 --a------ C:\WINDOWS\system32\CF30977.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-31 08:03:44 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Adobe
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Templates
2008-07-31 07:59:50 0 dr------- C:\Documents and Settings\Administrator.HIPOINT.001\Start Menu
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\SendTo
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\PrintHood
2008-07-31 07:59:50 1572864 --ah----- C:\Documents and Settings\Administrator.HIPOINT.001\NTUSER.DAT
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\NetHood
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\My Documents
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Local Settings
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Favorites
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Desktop
2008-07-31 07:59:50 0 d--hs---- C:\Documents and Settings\Administrator.HIPOINT.001\Cookies
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data
2008-07-31 07:59:50 0 d---s---- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Microsoft
2008-07-30 22:35:35 633833 --ahs---- C:\WINDOWS\system32\eghkQXbc.ini2
2008-07-15 19:23:20 593306 --ahs---- C:\WINDOWS\system32\JkjkRqru.ini2
2008-07-15 07:34:13 596666 --ahs---- C:\WINDOWS\system32\MmnXabeg.ini2
2008-07-14 07:28:02 558 --ahs---- C:\WINDOWS\system32\jQXxayxx.ini2
2008-07-13 18:48:49 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\AVSMedia
2008-07-13 18:46:26 433 --ahs---- C:\WINDOWS\system32\YacKknnn.ini2
2008-07-13 18:31:35 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-07-08 21:12:51 0 d-------- C:\Documents and Settings\Admin\Program Files
2008-07-08 21:12:48 0 d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-07-08 21:09:05 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DAEMON Tools
2008-07-08 20:59:41 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\BitTorrent
2008-07-08 20:58:57 0 d-------- C:\Program Files\DNA
2008-07-08 20:58:57 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DNA
2008-07-08 20:58:55 0 d-------- C:\Program Files\BitTorrent
2008-07-08 17:58:30 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Talkback
2008-07-08 17:58:17 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Mozilla
2008-07-08 17:48:06 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Real
2008-07-07 20:40:00 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-07 20:39:32 0 d-------- C:\Program Files\Real
2008-07-07 20:39:28 0 d-------- C:\Program Files\Common Files\Real
2008-07-07 20:39:25 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2008-07-07 20:39:12 0 d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-07 20:38:34 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-07 20:38:17 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2008-07-07 20:28:10 0 d-------- C:\Program Files\Bethesda Softworks
2008-07-07 16:24:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 16:09:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 16:09:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 16:09:46 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 16:09:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-04 08:00:50 0 dr-h----- C:\Documents and Settings\Admin\Recent


-- Find3M Report ---------------------------------------------------------------

2008-08-02 15:08:07 0 d-------- C:\Program Files\Steam
2008-08-01 17:53:35 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Adobe
2008-08-01 16:23:23 0 d-------- C:\Program Files\Common Files
2008-08-01 14:26:14 0 d-------- C:\Program Files\EA GAMES
2008-07-30 22:42:42 0 d-------- C:\Program Files\McAfee
2008-07-14 18:29:31 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-11 17:18:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-07 19:02:39 0 d-------- C:\Program Files\Windows Live Toolbar
2008-06-08 12:20:21 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Sun
2008-06-08 12:15:10 0 d-------- C:\Program Files\Sun
2008-06-08 12:14:58 0 d-------- C:\Program Files\Java
2008-06-08 12:14:04 0 d-------- C:\Program Files\Common Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0373A8B9-44E0-4CB9-8844-B043C9DEBD59}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F2250B-6D5A-4D37-917D-2EC96A37F056}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55B56F12-202F-4DD1-A248-FC6D4DAB456F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7825C475-817B-4C53-8EE8-0AE8D93BFDB0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{942579A6-F4BF-4582-823C-EEAD37B2A59B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB6C157C-6379-4FDB-8468-92479E358A66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC934E83-0A1C-4A90-8BE0-53191D6DDAA6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CADEB1E1-70C7-4690-A80E-81B439C603D1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [28/03/2008 22:41 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [28/03/2008 23:47 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [28/03/2008 23:47 C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [18/04/2006 16:40]
"nwiz"="nwiz.exe" [28/03/2008 23:47 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [18/04/2006 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/11/2007 20:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [24/08/2007 22:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30/11/2007 06:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/07/2008 20:39]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [16/07/2008 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/03/2008 22:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [23/03/2008 23:01]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08/07/2008 20:58]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" []
"\Win73.exe"="C:\Windows\system32\Win73.exe" []
"\Win74.exe"="C:\Windows\system32\Win74.exe" []
"\Win75.exe"="C:\Windows\system32\Win75.exe" []
"\Win76.exe"="C:\Windows\system32\Win76.exe" []
"\Win77.exe"="C:\Windows\system32\Win77.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 03/08/2008 10:49 16896 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7432 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-03 11:10:03 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 511.48 MiB / 185.83 MiB
Pagefile Memory (total/avail): 2528.1 MiB / 1943.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 35.8 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6V160E0 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: Spyware Doctor with AntiVirus v (PC Tools)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\Bf2_w32ded.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"F:\\Civilization IV Incl Crack\\Crack\\Civ4v109.exe"="F:\\Civilization IV Incl Crack\\Crack\\Civ4v109.exe:*:Enabled:Civ4v109"
"C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"="C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe:*:Enabled:Maya"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:enabled:@shell32.dll,-1"
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"="C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe:*:enabled:@shell32.dll,-1"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\Admin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Documents and Settings\\Admin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\Admin\\Program Files\\BitTorrent\\BitTorrent.exe"="C:\\Documents and Settings\\Admin\\Program Files\\BitTorrent\\BitTorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\New Admin Shaggy\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HIPOINT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\New Admin Shaggy
LOGONSERVER=\\HIPOINT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Autodesk\Maya2008\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 95 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=5f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp
USERDOMAIN=HIPOINT
USERNAME=New Admin Shaggy
USERPROFILE=C:\Documents and Settings\New Admin Shaggy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Admin
New Admin Shaggy (admin)
Administrator.HIPOINT.001 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Autodesk DirectConnect 2.0 --> MsiExec.exe /I{C033BF6E-9D82-4E0B-A46E-ABC746D6F431}
Battlefield 2: Deluxe Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
Black & White® 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}\setup.exe" -l0x9 -removeonly
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Fable - The Lost Chapters --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Maya 2008 --> MsiExec.exe /I{DA864DC0-0BF2-454B-A6A9-08A45EB97D3B}
Maya 2008 Documentation (en_US) --> MsiExec.exe /I{6C70ACE2-6EF2-4F8D-8C4A-78198AA979DD}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Oblivion - Horse Armor Pack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.10 --> "C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
openCanvas4.06E Plus --> MsiExec.exe /X{C22404E3-371D-46A3-A633-C7094DDE7274}
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
The Movies™ Stunts & Effects --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0556F885-2415-4666-B53E-33727E46AEA1} /l1033
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2014 / Error
Event Submitted/Written: 08/02/2008 05:46:27 PM / 08/02/2008 05:46:28 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\McAfee\VirusScan\McShield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1140 (0x474)

Thread address : 0x7C90EB94

Thread message :

Build VSCORE.14.0.0.349 / 5200.2160
Object being scanned = \Device\HarddiskVolume1\Program Files\Spyware Doctor\avdb\temp\58C54811.vbt
by C:\Program Files\Spyware Doctor\pctsSvc.exe
22304(20000)(0)
22302(20000)(0)
22301(20000)(0)
226(20000)(0)
223(20000)(0)
220(20000)(0)
4(0)(0)
4(0)(0)

Event Record #/Type2007 / Error
Event Submitted/Written: 08/02/2008 02:24:12 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine
must now be restarted.

Event Record #/Type2003 / Error
Event Submitted/Written: 08/02/2008 10:23:14 AM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type1995 / Warning
Event Submitted/Written: 08/01/2008 06:29:07 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type1994 / Error
Event Submitted/Written: 08/01/2008 06:25:38 PM
Event ID/Source: 0 / .NET Runtime
Event Description:
Unable to open shim database version registry key - v2.0.50727.00000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4311 / Error
Event Submitted/Written: 08/03/2008 10:59:55 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {7323885B-407F-4839-9695-96F545FF6286} did not register with DCOM within the required timeout.

Event Record #/Type4310 / Error
Event Submitted/Written: 08/03/2008 10:57:21 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type4309 / Error
Event Submitted/Written: 08/03/2008 10:56:55 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type4308 / Error
Event Submitted/Written: 08/03/2008 10:56:09 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type4296 / Error
Event Submitted/Written: 08/03/2008 10:52:57 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The IMAPI CD-Burning COM Service service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-08-03 11:10:03 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 08:55:11
Records in database: 1047736
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\WINDOWS\system32

Scan statistics:
Files scanned: 5626
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:03:28


File name / Threat name / Threats count
C:\WINDOWS\system32\70534.exe Infected: Backdoor.Win32.Qmop.a 1
C:\WINDOWS\system32\dyllxxpd.dll Infected: Trojan.Win32.Monder.bxx 1
C:\WINDOWS\system32\sckqao.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzy 1

The selected area was scanned.


I hope this information will help you help me.


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 03 August 2008 - 06:24 AM

Hello mumumash

Welcome to BleepingComputer :thumbsup:
========================
Please visit this web page for instructions for downloading and running Combofix > ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note: If the Recovery Console fails to install, then do not proceed; rather, alert me and post back here and we will continue.)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 03 August 2008 - 08:44 AM

Hi Kahdah, thanks for the prompt reply.

I followed your instructions, installed the Windows Recovery Console through Combofix and then ran a scan on Combofix. After the reboot, the Combofix blue box appeared and told me not to use other programs until it had finished. I waited, and "Could not find file path specified" appeared 4 times. I believed it had crashed, and just as I closed it, I saw the "txt file is being created" message. So I do not have the Combofix log, sorry; it was a rather foolish mistake. But I can give you some of the text files found in C:/QooBox folder/Combofix-quarantined-files:

2008-07-13 20:31 433 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\YacKknnn.ini2.vir
2008-07-13 20:33 433 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\YacKknnn.ini.vir
2008-07-14 18:31 558 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jQXxayxx.ini2.vir
2008-07-14 18:34 558 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jQXxayxx.ini.vir
2008-07-15 07:32 1880071 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qppwrura.ini.vir
2008-07-15 17:53 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-07-15 19:14 596666 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MmnXabeg.ini2.vir
2008-07-15 19:15 596666 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MmnXabeg.ini.vir
2008-07-15 19:50 593306 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\JkjkRqru.ini2.vir
2008-07-15 19:53 593357 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\JkjkRqru.ini.vir
2008-07-30 22:39 2805764 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fcbsflgh.ini.vir
2008-07-31 07:53 633833 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eghkQXbc.ini.vir
2008-07-31 07:53 633833 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eghkQXbc.ini2.vir
2008-07-31 08:25 1488052 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eahrpgvq.ini.vir
2008-08-02 10:13 112640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\70534.exe.vir
2008-08-02 10:51 31616 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Winek84.sys.vir
2008-08-02 14:21 588037 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\OVwwvGgh.ini2.vir
2008-08-02 14:23 588037 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\OVwwvGgh.ini.vir
2008-08-03 12:17 16896 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir
2008-08-03 13:19 1262 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_WINEK84.reg.dat
2008-08-03 13:19 20658 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Winek84.sys.zip
2008-08-03 13:19 2068 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winek84.reg.dat
2008-08-03 13:20 398 --a------ C:\Qoobox\Quarantine\catchme.log
2008-08-03 13:20 517 --a------ C:\Qoobox\Quarantine\catchme2008-08-03_132009.59.zip
2008-08-03 13:50 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-08-03 13:50 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-08-03 13:50 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-03 13:52 146 --a------ C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{95DEA057-EFA7-48E6-BDD1-91457F651EA8}.reg.dat
2008-08-03 13:52 164 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-DAEMON Tools Lite.reg.dat

And from C:/QooBox/Quarantine folder/catchme.log:

file zipped: C:\WINDOWS\system32\drivers\Winek84.sys -> catchme.zip -> Winek84.sys ( 31616 bytes )
file "C:\WINDOWS\system32\drivers\Winek84.sys" replaced successfully

-------- 2008-08-03 - 13:20:05.87 -------------

file zipped: C:\WINDOWS\system32\drivers\Winek84.sys -> catchme.zip -> Winek84.sys ( 31616 bytes )
file "C:\WINDOWS\system32\drivers\Winek84.sys" replaced successfully


After seeing this, I ran a scan on MBAM and no infections showed. I logged on without safe mode to run the DSS, to give you the HiJack log, but it ran so slow that DSS couldn't even open. It seems that, now that the rootkit is gone, the performance is still down.

What should I do now?

Thanks

Mumumash

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 03 August 2008 - 09:59 AM

See if the log is located here > C:\Combofix.txt

#5 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 03 August 2008 - 10:01 AM

I've checked, it isn't.

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 03 August 2008 - 10:03 AM

Please double click on dss to run it. I will need you to be patient and let it finish running.
Post the main.txt it will produce.

#7 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 03 August 2008 - 10:58 AM

Deckard's System Scanner v20071014.68
Run by New Admin Shaggy on 2008-08-03 16:15:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as New Admin Shaggy.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-03 16:16:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.exe
C:\Documents and Settings\New Admin Shaggy\Desktop\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\McAfee.com\Agent\mcupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_06) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} () - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: McAfee Application Installer Cleanup (0172591217454195) (0172591217454195mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017259~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe


--
End of file - 10932 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 14:50:18 0 d-------- C:\VundoFix Backups
2008-08-03 13:20:11 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-08-03 13:16:14 388608 --a------ C:\WINDOWS\system32\CF18937.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-03 13:13:12 0 d-------- C:\cmdcons
2008-08-03 13:12:35 68096 --a------ C:\WINDOWS\zip.exe
2008-08-03 13:12:35 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-03 13:12:35 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-03 13:12:35 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-03 13:12:35 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-03 13:12:35 98816 --a------ C:\WINDOWS\sed.exe
2008-08-03 13:12:35 80412 --a------ C:\WINDOWS\grep.exe
2008-08-03 13:12:35 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-03 10:03:17 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Sun
2008-08-02 14:55:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-02 14:55:49 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Uniblue
2008-08-02 11:04:24 0 d-------- C:\WINDOWS\BDOSCAN8
2008-08-01 20:59:11 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Help
2008-08-01 20:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-01 20:32:20 99712 -----n--- C:\WINDOWS\system32\dyllxxpd.dll
2008-08-01 20:31:22 129920 -----n--- C:\WINDOWS\system32\sckqao.dll
2008-08-01 17:45:16 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Malwarebytes
2008-08-01 16:23:23 0 d-------- C:\Program Files\Common Files\PC Tools
2008-08-01 16:22:53 0 d-------- C:\Program Files\Spyware Doctor
2008-08-01 16:22:53 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\PC Tools
2008-08-01 16:21:32 119808 --a------ C:\Program Files\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2008-08-01 15:26:30 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-01 15:19:23 2015 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-08-01 15:18:59 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-01 15:16:51 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Recent
2008-08-01 15:15:19 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 14:36:03 129920 --a------ C:\WINDOWS\system32\fsxwslmy.dll
2008-07-31 19:17:20 0 dr-h----- C:\Documents and Settings\New Admin Shaggy\Recent
2008-07-31 17:10:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:58:39 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Malwarebytes
2008-07-31 16:58:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 12:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-31 12:40:13 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Talkback
2008-07-31 12:39:37 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Mozilla
2008-07-31 12:39:23 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Real
2008-07-31 08:25:19 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Macromedia
2008-07-31 08:03:44 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Adobe
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Templates
2008-07-31 07:59:50 0 dr------- C:\Documents and Settings\Administrator.HIPOINT.001\Start Menu
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\SendTo
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\PrintHood
2008-07-31 07:59:50 1572864 --ah----- C:\Documents and Settings\Administrator.HIPOINT.001\NTUSER.DAT
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\NetHood
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\My Documents
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Local Settings
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Favorites
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Desktop
2008-07-31 07:59:50 0 d--hs---- C:\Documents and Settings\Administrator.HIPOINT.001\Cookies
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data
2008-07-31 07:59:50 0 d---s---- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Microsoft
2008-07-13 18:48:49 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\AVSMedia
2008-07-13 18:31:35 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-07-08 21:12:51 0 d-------- C:\Documents and Settings\Admin\Program Files
2008-07-08 21:12:48 0 d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-07-08 21:09:05 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DAEMON Tools
2008-07-08 20:59:41 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\BitTorrent
2008-07-08 20:58:57 0 d-------- C:\Program Files\DNA
2008-07-08 20:58:57 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DNA
2008-07-08 20:58:55 0 d-------- C:\Program Files\BitTorrent
2008-07-08 17:58:30 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Talkback
2008-07-08 17:58:17 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Mozilla
2008-07-08 17:48:06 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Real
2008-07-07 20:40:00 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-07 20:39:32 0 d-------- C:\Program Files\Real
2008-07-07 20:39:28 0 d-------- C:\Program Files\Common Files\Real
2008-07-07 20:39:25 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2008-07-07 20:39:12 0 d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-07 20:38:34 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-07 20:38:17 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2008-07-07 20:28:10 0 d-------- C:\Program Files\Bethesda Softworks
2008-07-07 16:24:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 16:09:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 16:09:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 16:09:46 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 16:09:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-04 08:00:50 0 dr-h----- C:\Documents and Settings\Admin\Recent


-- Find3M Report ---------------------------------------------------------------

2008-08-03 13:17:53 0 d-------- C:\Program Files\Common Files
2008-08-02 15:08:07 0 d-------- C:\Program Files\Steam
2008-08-01 17:53:35 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Adobe
2008-08-01 14:26:14 0 d-------- C:\Program Files\EA GAMES
2008-07-30 22:42:42 0 d-------- C:\Program Files\McAfee
2008-07-14 18:29:31 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-11 17:18:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-07 19:02:39 0 d-------- C:\Program Files\Windows Live Toolbar
2008-06-08 12:20:21 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Sun
2008-06-08 12:15:10 0 d-------- C:\Program Files\Sun
2008-06-08 12:14:58 0 d-------- C:\Program Files\Java
2008-06-08 12:14:04 0 d-------- C:\Program Files\Common Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-28 22:41 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2008-03-28 23:47 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-18 16:40]
"nwiz"="nwiz.exe" [2008-03-28 23:47 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-18 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 20:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 22:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-07 20:39]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-28 22:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-23 23:01]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-07-08 20:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-08-03 16:37:40 ------------

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 03 August 2008 - 01:20 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


Collect::
C:\WINDOWS\system32\dyllxxpd.dll
C:\WINDOWS\system32\sckqao.dll
C:\WINDOWS\system32\fsxwslmy.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image
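The three DLLs kahdah asks ComboFix to collect are the ones in the DSS "Files created" listing above that are newly created, sit under system32, carry no publisher/version block and have random-looking names. As an added example that is not part of this thread, here is a small parser for that DSS line format with the same triage heuristic, run over constructed sample lines copied in the log's shape; the `looks_random` rule and the function names are my own assumptions, not anything DSS or ComboFix provides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of Deckard's System Scanner's
# "Files created between ..." section: date time size attrs path [<verinfo>]
SAMPLE_DSS_LINES = """\
2008-08-03 14:50:18 0 d-------- C:\\VundoFix Backups
2008-08-03 13:20:11 53248 --a------ C:\\WINDOWS\\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-08-03 13:16:14 388608 --a------ C:\\WINDOWS\\system32\\CF18937.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-08-01 20:32:20 99712 -----n--- C:\\WINDOWS\\system32\\dyllxxpd.dll
2008-08-01 20:31:22 129920 -----n--- C:\\WINDOWS\\system32\\sckqao.dll
2008-08-01 15:19:23 2015 -r-h----- C:\\WINDOWS\\system32\\drivers\\hosts
2008-08-01 14:36:03 129920 --a------ C:\\WINDOWS\\system32\\fsxwslmy.dll
2008-07-13 18:31:35 638976 --a------ C:\\WINDOWS\\system32\\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
"""

# One DSS entry: ISO date, time, byte size, 9-char attribute string, path,
# and an optional "<verifier; company; description>" block.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.*?)"
    r"(?: <(?P<verinfo>[^>]*)>)?$"
)

SYSTEM32 = "\\windows\\system32\\"
CODE_EXTS = (".dll", ".sys", ".exe")


@dataclass
class DssEntry:
    created: str
    size: int
    attrs: str
    path: str
    verinfo: Optional[str]

    @property
    def is_dir(self) -> bool:
        # DSS marks directories with a leading 'd' in the attribute column.
        return self.attrs[0] == "d"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dss_files_section(text: str) -> List[DssEntry]:
    """Parse the lines of a DSS 'Files created' section; non-matching lines
    (section headers, blanks) are skipped."""
    entries: List[DssEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(DssEntry(
            created=f"{m['date']} {m['time']}",
            size=int(m["size"]),
            attrs=m["attrs"],
            path=m["path"],
            verinfo=m["verinfo"],
        ))
    return entries


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a 5-8 letter all-lowercase stem, the shape of the
    three names collected in this thread (dyllxxpd, sckqao, fsxwslmy)."""
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def suspicious_entries(entries: List[DssEntry]) -> List[DssEntry]:
    """Triage rule a helper applies by eye: a new DLL/SYS/EXE under system32
    with no publisher block and a random-looking name deserves a look."""
    flagged: List[DssEntry] = []
    for e in entries:
        if e.is_dir or SYSTEM32 not in e.path.lower():
            continue
        stem, dot, ext = e.name.rpartition(".")
        if not dot or ("." + ext.lower()) not in CODE_EXTS:
            continue
        if e.verinfo:  # has a "<verifier; company; description>" block
            continue
        if looks_random(stem):
            flagged.append(e)
    return flagged


def build_collect_script(entries: List[DssEntry]) -> str:
    """Render the flagged paths as a ComboFix CFScript 'Collect::' block,
    the same shape as the script posted above (files are submitted for
    analysis, not deleted)."""
    return "Collect::\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    found = suspicious_entries(parse_dss_files_section(SAMPLE_DSS_LINES))
    print(build_collect_script(found))
```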

#9 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 04 August 2008 - 02:54 AM

ComboFix 08-08-02.01 - New Admin Shaggy 2008-08-03 19:56:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT 1:00]
Running from: C:\Documents and Settings\New Admin Shaggy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\New Admin Shaggy\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dyllxxpd.dll
C:\WINDOWS\system32\fsxwslmy.dll
C:\WINDOWS\system32\sckqao.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\70534.exe
C:\WINDOWS\system32\drivers\Winek84.sys
C:\WINDOWS\system32\eahrpgvq.ini
C:\WINDOWS\system32\eghkQXbc.ini
C:\WINDOWS\system32\eghkQXbc.ini2
C:\WINDOWS\system32\fcbsflgh.ini
C:\WINDOWS\system32\JkjkRqru.ini
C:\WINDOWS\system32\JkjkRqru.ini2
C:\WINDOWS\system32\jQXxayxx.ini
C:\WINDOWS\system32\jQXxayxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MmnXabeg.ini
C:\WINDOWS\system32\MmnXabeg.ini2
C:\WINDOWS\system32\OVwwvGgh.ini
C:\WINDOWS\system32\OVwwvGgh.ini2
C:\WINDOWS\system32\qppwrura.ini
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\YacKknnn.ini
C:\WINDOWS\system32\YacKknnn.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINEK84
-------\Service_Winek84


((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 14:50 . 2008-08-03 14:50 <DIR> d-------- C:\VundoFix Backups
2008-08-03 10:50 . 2008-08-03 16:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-03 10:50 . 2008-08-03 10:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-03 10:04 . 2008-08-03 10:04 <DIR> d-------- C:\Deckard
2008-08-02 14:55 . 2008-08-02 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-02 14:55 . 2008-08-02 14:55 <DIR> d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Uniblue
2008-08-02 14:06 . 2008-08-02 14:06 <DIR> d-------- C:\Program Files\Unlocker
2008-08-02 11:04 . 2008-08-02 13:00 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-02 09:26 . 2008-07-24 10:00 645,672 --a------ C:\Program Files\autoruns.exe
2008-08-01 20:52 . 2008-08-02 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-01 20:29 . 2008-08-01 18:48 160,648 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-01 17:45 . 2008-08-01 17:45 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Malwarebytes
2008-08-01 16:23 . 2008-08-01 20:29 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-01 16:22 . 2008-08-03 19:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-01 16:22 . 2008-08-01 16:22 <DIR> d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\PC Tools
2008-08-01 16:22 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-01 16:22 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-01 16:22 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-01 16:22 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-01 16:21 . 2008-08-01 16:21 119,808 --a------ C:\Program Files\VundoFix.exe
2008-08-01 15:26 . 2008-08-01 15:26 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-01 15:19 . 2008-08-01 15:19 2,015 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-08-01 15:18 . 2008-08-01 15:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-01 15:15 . 2008-08-01 15:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 15:15 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 15:15 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 14:29 . 2008-08-01 14:29 33,664 --a------ C:\WINDOWS\system32\opnnklLd.dll.vir
2008-07-31 17:10 . 2008-07-31 17:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:58 . 2008-07-31 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 16:58 . 2008-07-31 16:58 <DIR> d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Malwarebytes
2008-07-31 12:50 . 2008-07-31 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-31 12:40 . 2008-07-31 12:40 <DIR> d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Talkback
2008-07-31 07:59 . 2008-08-01 15:16 <DIR> d-------- C:\Documents and Settings\Administrator.HIPOINT.001
2008-07-13 20:17 . 2008-08-01 15:04 369 --a------ C:\WINDOWS\wininit.ini
2008-07-13 18:48 . 2008-07-13 18:48 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\AVSMedia
2008-07-13 18:31 . 2003-05-22 12:26 638,976 --a------ C:\WINDOWS\system32\divx.dll
2008-07-13 18:31 . 2003-05-22 12:26 221,215 --a------ C:\WINDOWS\system32\divxdec.ax
2008-07-11 17:12 . 2008-07-11 17:12 32 --a------ C:\WINDOWS\CD_Start.INI
2008-07-08 21:12 . 2008-07-08 21:12 <DIR> d-------- C:\Documents and Settings\Admin\Program Files
2008-07-08 21:12 . 2008-08-01 14:21 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-07-08 21:09 . 2008-07-08 21:09 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DAEMON Tools
2008-07-08 20:59 . 2008-07-09 07:13 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\BitTorrent
2008-07-08 20:58 . 2008-07-08 20:58 <DIR> d-------- C:\Program Files\DNA
2008-07-08 20:58 . 2008-07-08 20:59 <DIR> d-------- C:\Program Files\BitTorrent
2008-07-08 20:58 . 2008-08-03 16:45 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DNA
2008-07-08 17:58 . 2008-07-08 17:58 <DIR> d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Talkback
2008-07-07 20:42 . 2008-07-07 20:42 25 --a------ C:\WINDOWS\cdplayer.ini
2008-07-07 20:40 . 2008-07-07 20:40 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-07 20:39 . 2008-07-07 20:39 <DIR> d-------- C:\Program Files\Real
2008-07-07 20:39 . 2008-07-07 20:39 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-07 20:39 . 2008-07-07 20:39 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-07 20:38 . 2008-07-07 20:38 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-07 20:28 . 2008-07-07 20:28 <DIR> d-------- C:\Program Files\Bethesda Softworks
2008-07-07 16:24 . 2008-07-07 16:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 16:09 . 2008-07-07 16:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-07 15:12 . 2008-07-07 15:12 244 --ah----- C:\sqmnoopt07.sqm
2008-07-07 15:12 . 2008-07-07 15:12 232 --ah----- C:\sqmdata07.sqm
2008-07-07 15:11 . 2008-07-07 15:11 244 --ah----- C:\sqmnoopt06.sqm
2008-07-07 15:11 . 2008-07-07 15:11 232 --ah----- C:\sqmdata06.sqm
2008-07-07 15:10 . 2008-07-07 15:10 244 --ah----- C:\sqmnoopt05.sqm
2008-07-07 15:10 . 2008-07-07 15:10 244 --ah----- C:\sqmnoopt04.sqm
2008-07-07 15:10 . 2008-07-07 15:10 232 --ah----- C:\sqmdata05.sqm
2008-07-07 15:10 . 2008-07-07 15:10 232 --ah----- C:\sqmdata04.sqm
2008-07-07 15:09 . 2008-07-07 15:09 244 --ah----- C:\sqmnoopt03.sqm
2008-07-07 15:09 . 2008-07-07 15:09 232 --ah----- C:\sqmdata03.sqm
2008-07-07 15:08 . 2008-07-07 15:08 244 --ah----- C:\sqmnoopt02.sqm
2008-07-07 15:08 . 2008-07-07 15:08 244 --ah----- C:\sqmnoopt01.sqm
2008-07-07 15:08 . 2008-07-07 15:08 232 --ah----- C:\sqmdata02.sqm
2008-07-07 15:08 . 2008-07-07 15:08 232 --ah----- C:\sqmdata01.sqm
2008-07-07 15:07 . 2008-07-07 15:07 244 --ah----- C:\sqmnoopt00.sqm
2008-07-07 15:07 . 2008-07-07 15:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 18:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:08 --------- d-----w C:\Program Files\Steam
2008-08-01 13:26 --------- d-----w C:\Program Files\EA GAMES
2008-07-31 06:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-30 21:42 --------- d-----w C:\Program Files\McAfee
2008-07-14 17:29 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-11 16:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-08 20:09 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-07 19:39 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-07 19:39 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-07 18:02 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-24 16:30 --------- d-----w C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2008-06-22 15:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\U3
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 11:15 --------- d-----w C:\Program Files\Sun
2008-06-08 11:14 --------- d-----w C:\Program Files\Java
2008-06-08 11:14 --------- d-----w C:\Program Files\Common Files\Java
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-11-12 22:40 30,422,984 ----a-w C:\Program Files\avg75free_503a1171.exe
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2007-04-07 12:53 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2008-03-28 22:41 1033216 eab949680618b5cc38c36b9b589e01b4 C:\WINDOWS\explorer.exe
2008-03-30 11:39 1033216 6b814745605311d34c96d0d761e01a91 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-03-30 11:40 1032192 56395b7ee32a0255791a762f42b56a27 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-03-30 11:49 1033216 eab949680618b5cc38c36b9b589e01b4 C:\WINDOWS\system32\dllcache\explorer.exe

2008-03-28 22:41 15360 c0d8f1fd68da02c61c5315aa0831aeaa C:\WINDOWS\system32\ctfmon.exe
2008-03-30 11:49 15360 c0d8f1fd68da02c61c5315aa0831aeaa C:\WINDOWS\system32\dllcache\ctfmon.exe

2008-03-30 11:37 57856 37ae41395d281f3506d911e04cf754ec C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-03-30 11:39 57856 c40d3055a8db3289c4e923c152688543 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-03-30 11:47 57856 81c899c11242ea35cb77792978cd4934 C:\WINDOWS\system32\spoolsv.exe
2008-03-30 11:52 57856 81c899c11242ea35cb77792978cd4934 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-28 22:41 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-23 23:01 171448]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-07-08 20:58 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-18 16:40 7561216]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-18 16:40 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 20:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 22:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42 1164576]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-07 20:39 185896]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-28 22:41 16050688 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2008-03-28 23:47 2882560 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-03-28 23:47 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-03-28 22:41 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\Bf2_w32ded.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Admin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Documents and Settings\\Admin\\Program Files\\BitTorrent\\BitTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-05-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-03-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-03-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{95DEA057-EFA7-48E6-BDD1-91457F651EA8} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 20:00:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-03 20:05:28
ComboFix-quarantined-files.txt 2008-08-03 19:05:20

Pre-Run: 38,249,648,128 bytes free
Post-Run: 38,275,981,312 bytes free

241 --- E O F --- 2008-07-13 17:31:23



Deckard's System Scanner v20071014.68
Run by New Admin Shaggy on 2008-08-03 20:40:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as New Admin Shaggy.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-03 20:42:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\New Admin Shaggy\Desktop\dss.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_06) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} () - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: McAfee Application Installer Cleanup (0172591217454195) (0172591217454195mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017259~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe


--
End of file - 10749 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 14:50:18 0 d-------- C:\VundoFix Backups
2008-08-03 13:13:12 0 d-------- C:\cmdcons
2008-08-03 13:12:35 68096 --a------ C:\WINDOWS\zip.exe
2008-08-03 13:12:35 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-03 13:12:35 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-03 13:12:35 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-03 13:12:35 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-03 13:12:35 98816 --a------ C:\WINDOWS\sed.exe
2008-08-03 13:12:35 80412 --a------ C:\WINDOWS\grep.exe
2008-08-03 13:12:35 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-03 10:03:17 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Sun
2008-08-02 14:55:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-08-02 14:55:49 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Uniblue
2008-08-02 11:04:24 0 d-------- C:\WINDOWS\BDOSCAN8
2008-08-01 20:59:11 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Help
2008-08-01 20:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-01 17:45:16 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Malwarebytes
2008-08-01 16:23:23 0 d-------- C:\Program Files\Common Files\PC Tools
2008-08-01 16:22:53 0 d-------- C:\Program Files\Spyware Doctor
2008-08-01 16:22:53 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\PC Tools
2008-08-01 16:21:32 119808 --a------ C:\Program Files\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2008-08-01 15:26:30 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-01 15:19:23 2015 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-08-01 15:18:59 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-01 15:16:51 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Recent
2008-08-01 15:15:19 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 19:17:20 0 dr-h----- C:\Documents and Settings\New Admin Shaggy\Recent
2008-07-31 17:10:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:58:39 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Malwarebytes
2008-07-31 16:58:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 12:50:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-31 12:40:13 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Talkback
2008-07-31 12:39:37 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Mozilla
2008-07-31 12:39:23 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Real
2008-07-31 08:25:19 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Macromedia
2008-07-31 08:03:44 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Adobe
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Templates
2008-07-31 07:59:50 0 dr------- C:\Documents and Settings\Administrator.HIPOINT.001\Start Menu
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\SendTo
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\PrintHood
2008-07-31 07:59:50 1572864 --ah----- C:\Documents and Settings\Administrator.HIPOINT.001\NTUSER.DAT
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\NetHood
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\My Documents
2008-07-31 07:59:50 0 d--h----- C:\Documents and Settings\Administrator.HIPOINT.001\Local Settings
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Favorites
2008-07-31 07:59:50 0 d-------- C:\Documents and Settings\Administrator.HIPOINT.001\Desktop
2008-07-31 07:59:50 0 d--hs---- C:\Documents and Settings\Administrator.HIPOINT.001\Cookies
2008-07-31 07:59:50 0 dr-h----- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data
2008-07-31 07:59:50 0 d---s---- C:\Documents and Settings\Administrator.HIPOINT.001\Application Data\Microsoft
2008-07-13 18:48:49 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\AVSMedia
2008-07-13 18:31:35 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-07-08 21:12:51 0 d-------- C:\Documents and Settings\Admin\Program Files
2008-07-08 21:12:48 0 d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-07-08 21:09:05 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DAEMON Tools
2008-07-08 20:59:41 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\BitTorrent
2008-07-08 20:58:57 0 d-------- C:\Program Files\DNA
2008-07-08 20:58:57 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\DNA
2008-07-08 20:58:55 0 d-------- C:\Program Files\BitTorrent
2008-07-08 17:58:30 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Talkback
2008-07-08 17:58:17 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Mozilla
2008-07-08 17:48:06 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Real
2008-07-07 20:40:00 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-07 20:39:32 0 d-------- C:\Program Files\Real
2008-07-07 20:39:28 0 d-------- C:\Program Files\Common Files\Real
2008-07-07 20:39:25 0 d-------- C:\Documents and Settings\Admin\Application Data\Real
2008-07-07 20:39:12 0 d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-07 20:38:34 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-07 20:38:17 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2008-07-07 20:28:10 0 d-------- C:\Program Files\Bethesda Softworks
2008-07-07 16:24:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 16:09:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 16:09:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 16:09:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 16:09:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 16:09:46 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 16:09:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 16:09:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-04 08:00:50 0 dr-h----- C:\Documents and Settings\Admin\Recent


-- Find3M Report ---------------------------------------------------------------

2008-08-03 19:58:27 0 d-------- C:\Program Files\Common Files
2008-08-02 15:08:07 0 d-------- C:\Program Files\Steam
2008-08-01 17:53:35 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Adobe
2008-08-01 14:26:14 0 d-------- C:\Program Files\EA GAMES
2008-07-30 22:42:42 0 d-------- C:\Program Files\McAfee
2008-07-14 18:29:31 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-11 17:18:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-07 19:02:39 0 d-------- C:\Program Files\Windows Live Toolbar
2008-06-08 12:20:21 0 d-------- C:\Documents and Settings\New Admin Shaggy\Application Data\Sun
2008-06-08 12:15:10 0 d-------- C:\Program Files\Sun
2008-06-08 12:14:58 0 d-------- C:\Program Files\Java
2008-06-08 12:14:04 0 d-------- C:\Program Files\Common Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [28/03/2008 22:41 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [28/03/2008 23:47 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [18/04/2006 16:40]
"nwiz"="nwiz.exe" [28/03/2008 23:47 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [18/04/2006 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/11/2007 20:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [24/08/2007 22:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30/11/2007 06:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/07/2008 20:39]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [16/07/2008 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/03/2008 22:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [23/03/2008 23:01]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08/07/2008 20:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-08-03 20:53:21 ------------

Would you mind shedding some light on why it's running so slow, even though the viruses have been removed?

#10 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 04 August 2008 - 04:01 AM

Hi kahdah

On looking around, I found that I had Spyware Doctor's Intelli-Guard and McAfee's firewall running at the same time. I uninstalled Spyware Doctor and now my PC is running fine when not in Safe Mode. I don't want to speak too soon; is there anything else I can do to be sure I'm completely fine?

Thanks

Mumumash

#11 mumumash

mumumash
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 04 August 2008 - 08:30 AM

Hi

Really sorry to have posted three times in a row, but I feel I should keep you posted. I have a limited user account (my main account) and an administrator account (mainly used to get rid of viruses). If I perform a MBAM scan in my limited user account, a Fake.Beep.Sys is found in C:/Windows/System32/DLLCache/beep.sys. MBAM tells me it will remove on reboot, but it's still there the next time I scan after reboot. If I perform a scan in administrator, I am informed that I have no infections. As you can imagine, removing a virus is extremely difficult in limited user as there are many restrictions on files being deleted. Also, I don't see a DLLCache in System32. I attempted to change the limited account to an administrator account so I could tackle the problem, but the limited account doesn't show up in the user list in User Accounts in Control Panel. Need advice; I think this is probably the last of all the viruses I had.

Edited by mumumash, 04 August 2008 - 08:34 AM.


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 04 August 2008 - 06:13 PM

Which account have we been using?
The one that has Combofix on it?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:39 AM

Posted 16 August 2008 - 08:48 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.